VYPR
High severity · 7.8 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 24, 2026

CVE-2026-23391

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_CT: drop pending enqueued packets on template removal

Templates refer to objects that can go away while packets sitting in nfqueue still refer to them:

  • helper, this can be an issue on module removal.
  • timeout policy, nfnetlink_cttimeout might remove it.

The use of templates with zone and event cache filter is safe, since this just copies values.

Flush these enqueued packets in case the template rule gets removed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel netfilter xt_CT module fails to flush queued packets when a template rule is removed, leading to use-after-free on helper or timeout policy objects.

Vulnerability

Overview

CVE-2026-23391 is a use-after-free vulnerability in the Linux kernel's netfilter subsystem, specifically in the xt_CT module. The root cause is that when a netfilter template rule is removed, any packets that are still enqueued in nfqueue and reference that template are not flushed. These packets hold pointers to associated objects such as a connection tracking helper (which could be unloaded with its module) or a timeout policy (which could be removed via nfnetlink_cttimeout). The template removal does not wait for or cancel these pending references, leaving dangling pointers that can be dereferenced after the objects are freed [1][2].

Exploitation

Conditions

An attacker must have the ability to create and remove a netfilter template rule while packets are still queued in the nfqueue. This typically requires local access with sufficient privileges to modify netfilter rules (e.g., root or CAP_NET_ADMIN). The vulnerability is triggered when a helper module is unloaded or a timeout policy is deleted while packets referencing the template remain in the nfqueue. No special network position is needed beyond the ability to trigger the rule removal [3][4].

Impact

If successfully exploited, an attacker could cause a use-after-free condition, leading to a kernel crash (denial of service) or potentially arbitrary code execution in kernel context. The CVSS v3 score of 7.8 (High) reflects the high impact on confidentiality, integrity, and availability, though exploitation requires local access and elevated privileges.

Mitigation

The fix is included in the Linux kernel stable branches as commits [1], [2], [3], and [4]. Users should update to a kernel version containing these patches. No workaround is available; the vulnerability is resolved by ensuring that all enqueued packets are flushed when a template rule is removed.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (10 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.4.1,<5.10.253)
    • cpe:2.3:o:linux:linux_kernel:3.4:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)
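The CPE entries above mix one version range with a handful of exact version/update pairs (a plain 3.4 release and the 7.0 release candidates), so deciding whether a given kernel is covered takes more than a single comparison. The following script is an added example, not part of the advisory or of any vendor tooling: it transcribes the CPE entries shown on this page into a list, parses a `uname -r` style release string, and reports whether it matches any listed entry. The entry list is only what the page displays (the page itself notes further entries and a "(no CPE)" item that carry no version data), so a "not listed" result is not a statement that a kernel is unaffected; treat it as an inventory aid, and rely on the distribution's advisory for the final word.

```python
"""Check a kernel release string against the CPE match entries listed on
this advisory page for CVE-2026-23391.

Added example: the CPE_ENTRIES list below is transcribed from the page's
"Affected products" section and is assumed to be incomplete (the page
mentions entries not shown). A False result means "not in the listed
entries", not "unaffected".
"""
import platform
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (CPE string as shown on the page, range annotation as shown or None)
CPE_ENTRIES: List[Tuple[str, Optional[str]]] = [
    ("cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", ">=3.4.1,<5.10.253"),
    ("cpe:2.3:o:linux:linux_kernel:3.4:-:*:*:*:*:*:*", None),
] + [
    (f"cpe:2.3:o:linux:linux_kernel:7.0:rc{i}:*:*:*:*:*:*", None)
    for i in range(1, 8)
]

# Leading dotted numbers, optionally followed by "-rcN" or ".rcN"; anything
# after that (distro suffixes such as "-18-amd64") is ignored.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]rc(\d+))?")

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[Version, Optional[int]]:
    """Return (numeric tuple with trailing zeros dropped, rc number or None).

    Trailing zeros are dropped so that "7.0.0" (uname form) equals the CPE's
    "7.0" and "3.4.0" equals "3.4".
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable kernel version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    rc = int(m.group(2)) if m.group(2) else None
    return tuple(nums), rc


def in_range(ver: Version, spec: str) -> bool:
    """Evaluate a comma-separated bound list such as ">=3.4.1,<5.10.253"."""
    for bound in spec.split(","):
        bound = bound.strip()
        for op in (">=", "<=", ">", "<"):  # two-char operators first
            if bound.startswith(op):
                target, _ = parse_version(bound[len(op):])
                if not _OPS[op](ver, target):
                    return False
                break
        else:
            raise ValueError(f"unrecognised bound: {bound!r}")
    return True


def matches_entry(ver: Version, rc: Optional[int], cpe: str,
                  range_spec: Optional[str]) -> bool:
    """Match one CPE 2.3 entry (fields 5 and 6 are version and update)."""
    fields = cpe.split(":")
    cpe_version, cpe_update = fields[5], fields[6]
    if cpe_version == "*":
        # Wildcard version: only meaningful together with a range annotation.
        return range_spec is not None and in_range(ver, range_spec)
    target, _ = parse_version(cpe_version)
    if target != ver:
        return False
    if cpe_update == "*":
        return True
    if cpe_update == "-":          # "-" in CPE means "no update", i.e. the final release
        return rc is None
    m = re.fullmatch(r"rc(\d+)", cpe_update)
    return bool(m) and rc == int(m.group(1))


def kernel_affected(release: str) -> bool:
    """True if the release string matches any CPE entry listed on the page."""
    ver, rc = parse_version(release)
    return any(matches_entry(ver, rc, cpe, spec) for cpe, spec in CPE_ENTRIES)


if __name__ == "__main__":
    running = platform.release()  # same string as `uname -r` on Linux
    verdict = "listed as affected" if kernel_affected(running) else "not in listed entries"
    print(f"{running}: {verdict} (page entries only; consult your distro advisory)")
```

Release candidates are matched only by exact `rcN` equality against the listed entries; the range check deliberately does not try to order `7.0-rc1` relative to `7.0`, since the page gives rc kernels as discrete entries rather than as a range.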

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (8)

News mentions (0)

No linked articles in our index yet.